Dell laptops may have a Lenovo Superfish-size security problem

Lenovo’s Superfish scandal earlier this year was arguably the worst security flaw since the Sony rootkit debacle of ten years ago. Multiple IdeaPad product lines shipped with a self-signed root certificate installed as trusted, private key included, which let the Superfish adware (and anyone else who extracted that key) impersonate any HTTPS site and defeat the authentication that HTTPS is supposed to guarantee. In simple terms: laptops with Superfish installed couldn’t actually verify that the banking sites or e-commerce destinations they connected to were the sites they claimed to be. There was no simple way to remove the software, and users were forced to jump through multiple hoops to resecure a system. Now, Dell appears to have done something similar, though the investigation is still ongoing.

According to programmer Joe Nord, Dell is shipping a self-signed root certificate called eDellRoot, installed in the Windows Trusted Root Certification Authorities store. It expires in 2039 and is marked as valid for “All” purposes, which means it is not limited to vouching for websites. Further poking revealed that the machine also holds the private key that corresponds to the certificate, as shown below:

This is a serious problem. A root certificate represents a key pair. The public key is embedded in the certificate itself and is distributed to every machine that should trust the authority; the private key is what the authority uses to sign the certificates it issues. Anyone holding the root certificate can check those signatures, but only the holder of the private key can create them. (The familiar description of public-key cryptography, encrypt with the public key and decrypt with the private key, is the other use of the same kind of key pair; for a certificate authority, the operation that matters is signing.) The entire model relies on the private key remaining private. Because it is computationally infeasible to derive the private key from the public key, the public half can be handed out everywhere, while the private half stays under lock and key.

Shipping the private key alongside the certificate on every machine means that anyone can extract it and use it to sign a certificate for any domain name they choose, whether a bank, a webmail service or a software update server. A Dell computer with eDellRoot in its trusted root store will accept such a certificate without a warning, because the very root it relies on to detect impostors has vouched for them. And since the single test site mentioned later in this article can be used to check every affected machine, the private key must be identical across all of them, so it only has to be extracted once.
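To make the mechanics concrete, here is an added example in Go (not Dell’s code and not part of the original article) that builds a stand-in for eDellRoot, uses its private key to mint a certificate for an assumed victim hostname, www.bank.example, and then checks that certificate the way a browser would against two trust stores: one that contains the stand-in root and one that does not. The root name, the hostname and the use of ECDSA rather than RSA are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// shippedRoot stands in for eDellRoot: a self-signed root whose private key is
// installed on every machine and is therefore known to anyone who looks. The
// real eDellRoot is an RSA certificate; P-256 ECDSA is used here only because
// it is quick to generate. Illustrative code, not Dell's.
type shippedRoot struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newShippedRoot() (*shippedRoot, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "eDellRoot (stand-in)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(24, 0, 0), // long-lived, like the real one
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		// No ExtKeyUsage: usable for any purpose, like the "All" on the real certificate.
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &shippedRoot{key: key, cert: cert}, nil
}

// forgeLeaf does what any holder of the leaked private key can do: issue a
// server certificate (DER) for an arbitrary hostname, with no CSR, no domain
// validation and no involvement of whoever actually owns the name.
func (r *shippedRoot) forgeLeaf(hostname string) ([]byte, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Signed with r.key, the root's private key; a victim trust store holding r.cert accepts it.
	return x509.CreateCertificate(rand.Reader, tmpl, r.cert, &leafKey.PublicKey, r.key)
}

// acceptedBy performs the check a browser does on a server certificate: build
// a chain from leafDER to one of the given roots (and only those roots, never
// the system store, so the result is deterministic) and match hostname. A nil
// error means the client would connect without any warning.
func acceptedBy(roots []*x509.Certificate, leafDER []byte, hostname string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err
}

func main() {
	root, err := newShippedRoot()
	if err != nil {
		panic(err)
	}
	const host = "www.bank.example" // assumed victim hostname
	forged, err := root.forgeLeaf(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("Dell machine with eDellRoot:", acceptedBy([]*x509.Certificate{root.cert}, forged, host))
	fmt.Println("machine without eDellRoot:  ", acceptedBy(nil, forged, host))
}
```

Run it with `go run` and the first line prints `<nil>` (the forged certificate is accepted) while the second reports an unknown authority. The test site the article mentions does the same thing over a real TLS handshake: it presents a certificate chained to eDellRoot, and only a machine whose store trusts that root completes the connection without a warning. Note that the forgery is still name-specific: the same certificate does not validate for a hostname it was not minted for, which is why an attacker mints one per target rather than relying on a single wildcard.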

What’s missing from this picture is any sense of why the eDellRoot key is installed on Dell laptops in the first place. In Lenovo’s case, it compromised user security and broke the entire HTTPS model to ship a lousy bit of adware that supposedly enabled “Visual search.” Lenovo later claimed that the revenue it earned from Superfish was tiny, which made sense, but didn’t explain why the company had broken HTTPS security in order to earn a trifling bit of cash.

Dell’s eDellRoot certificate doesn’t seem tied to any specific service or capability. It’s not linked to malware or customer complaints the way Superfish was, and it’s not clear how many systems have shipped with the certificate installed. So far, we’ve seen reports that at least some Inspiron 5000 models are affected. These are Windows 10 machines shipping nine months after Superfish.

The world of OEM systems is cutthroat, with thin margins and aggressive product positioning, but this isn’t exactly a feature anyone asked Dell to copy from Lenovo. It’s not clear yet how large the problem is, but testing has shown that systems with the eDellRoot certificate installed will establish connections to clearly fraudulent sites.

Wondering if your own Dell machine has this problem? This test site is designed to check whether your system trusts eDellRoot: it presents a certificate chained to that root, so if your Dell connects to it without a warning in IE or Chrome, both of which use the Windows certificate store, you’ve got an eDellRoot problem. According to Ars Technica, Firefox, which ships its own list of trusted roots rather than using the Windows store, still reports that the site has certificate issues. Because the certificate is valid for all purposes, researchers have also told Ars that it can be used to sign applications, so malicious code carrying such a signature would pass checks that trust any binary signed under a trusted root.

We’ve reached out to Dell, who provided the following statement:

Customer security and privacy is a top concern for Dell. We have a strict policy of minimizing the number of pre-load applications and assessing all applications for their security and usability. Dell has an extensive end-user security practice that develops capabilities and best practices to best protect our customers. We have a team investigating the current situation and will update you as soon as we have more information.


“but this isn’t exactly a feature anyone asked Dell to copy from Lenovo. It’s not clear yet how large the problem is”

It would surprise me if this was a government request. I’m not about to adorn myself with a tin foil hat, but this is a case of “If the shoe fits”. Either way, the thing I’m least surprised about in this article is probably the fact that Firefox picks up that there are issues with the certificates. Firefox has become extremely aggressive with certificate checks, to the point that seeing green actually makes me think “Wow, that site is really on top of their security!”. Great for the consumer, I suppose, but a little unnerving when you start noticing all the sites that have issues.

Raffi256

More likely they have some support tool that’s pre-installed and probably outsourced to an incompetent vendor.

Kyle

I very much doubt this. While Firefox isn’t flawless in terms of security exploits (there was a pretty big one back in August), they’re very pro-consumer. They wouldn’t be so flaky with how they handle it.

I still remember the last “Mozilla Advocacy” campaign that I participated in. I spent ten seconds filling out their little form, and agreeing, etc. The idea was that they would send a letter to my congressman explaining why X bill would be a terrible idea for Y reasons. Personally, I didn’t actually expect them to do anything.

Then I got a letter from my congressman in response. It was a very bureaucratic response…but a reply nonetheless. I’m not sure how Mozilla ended up sending the information, but I imagine they ate the costs of doing so.

Joel Hruska

I think he meant that *Dell* has the issue with incompetent outsourcing, not Mozilla. And yes, that’s possible.

There is no evidence of malice in the Lenovo case — just shockingly bad vetting of software.

Paul

Firefox uses its own certificate store, rather than the one in Windows that IE and Chrome use.

http://panduanpc.com doge

For now we could easily get rid of those by a clean OS install (and reflash the BIOS if necessary).
But it’s just a matter of time before these PC vendors embed hardware-based spyware onto their motherboards. Who knows if they already did.

Futtz

doge speak the truth wowe

http://twitter.com/justingoldberg Justin Goldberg

This command would delete the certificate, but I can’t seem to find its serial number. The serial number that the delstore verb requires should be 8 hex characters.

certutil -delstore Root eDellRoot

Ivor O’Connor

Do you have to worry about this if you use linux on a dell laptop?

Kyle

This looks to be on the OS side of things. I don’t believe it touches the firmware, so you should be good.

Ivor O’Connor

Thanks

Wrong_Side

Fuck! I just checked my Desktop and I found the same one. Looks like Dell is just installing it on everything they are shipping.

Jermain Martinez

To include Alienware?

Fabio Nunes

I have an Alienware Area 51 and I have found this Certificate on my Desktop.

Sir Chester of Game Rant

…. That “test site” is a joke, right?

SoCal Commuter

LOL— love that url…

Scott

More details would be nice. I assume that having a test site means that the private key is now well known (vs generated uniquely per device)? Once you figure out what they’re using it for, that’d be most interesting.

There is no certification path, so they can’t be revoked, as far as I can tell. The only way is to manually remove the certificate from the Trusted Root Certification Authorities store using CERTMGR.MSC.

Jimmy

After speaking with Dell, I was called today by their tech department. A patch is going out sometime today. They also sent me an email with a link to download the patch myself. I did that, but it told me the eDellroot didn’t exist when I already knew it did…so as of now, I wouldn’t depend on that diagnosis link and patch.

They did provide instructions on how to manually remove it, which I did, and sure enough, there it was in my computer. I was able to delete the program, and now the test site above is not accessible without a warning.

The guy at Dell said they had received calls from A LOT of irate customers about this issue. I’m just glad they resolved it quickly, however, it doesn’t excuse them from putting it there in the first place.

Humza Aamir

Expertly written and explained. Keeps me coming back to ET.


Use of this site is governed by our Terms of Use and Privacy Policy. Copyright 1996-2016 Ziff Davis, LLC. PCMag Digital Group. All Rights Reserved. ExtremeTech is a registered trademark of Ziff Davis, LLC. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis, LLC is prohibited.